def check_is_admin(roles): """Whether or not roles contains 'admin' role according to policy setting. """ init() if isinstance(roles, RequestContext): # the target is user-self credentials = roles.to_dict() target = credentials return policy.check('context_is_admin', target, credentials) else: return policy.check('context_is_admin', {}, {'roles': roles})
def enforce(context, action, target, do_raise=True): """Verifies that the action is valid on the target in this context. :param context: ironic context :param action: string representing the action to be checked this should be colon separated for clarity. i.e. ``compute:create_instance``, ``compute:attach_volume``, ``volume:attach_volume`` :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. ``{'project_id': context.project_id}`` :param do_raise: if True (the default), raises PolicyNotAuthorized; if False, returns False :raises nova.exception.PolicyNotAuthorized: if verification fails and do_raise is True. :return: returns a non-False value (not necessarily "True") if authorized, and the exact value False if not authorized and do_raise is False. """ init() credentials = context.to_dict() # Add the exception arguments if asked to do a raise extra = {} if do_raise: extra.update(exc=exception.PolicyNotAuthorized, action=action) return policy.check(action, target, credentials, **extra)
def enforce(context, action, target, do_raise=True): """Verifies that the action is valid on the target in this context. :param context: ironic context :param action: string representing the action to be checked this should be colon separated for clarity. i.e. ``compute:create_instance``, ``compute:attach_volume``, ``volume:attach_volume`` :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. ``{'project_id': context.project_id}`` :param do_raise: if True (the default), raises PolicyNotAuthorized; if False, returns False :raises ironic.exception.PolicyNotAuthorized: if verification fails and do_raise is True. :return: returns a non-False value (not necessarily "True") if authorized, and the exact value False if not authorized and do_raise is False. """ init() credentials = context.to_dict() # Add the exception arguments if asked to do a raise extra = {} if do_raise: extra.update(exc=exception.PolicyNotAuthorized, action=action) return policy.check(action, target, credentials, **extra)
def check_is_admin(context): """Whether or not role contains 'admin' role according to policy setting. """ init() credentials = context.to_dict() target = credentials return policy.check('context_is_admin', target, credentials)
def before(self, state): user_id = state.request.headers.get('X-User-Id') user_id = state.request.headers.get('X-User', user_id) tenant = state.request.headers.get('X-Tenant-Id') tenant = state.request.headers.get('X-Tenant', tenant) auth_token = state.request.headers.get('X-Auth-Token', None) creds = {'roles': state.request.headers.get('X-Roles', '').split(',')} is_admin = policy.check('is_admin', state.request.headers, creds) state.request.context = context.RequestContext( auth_token=auth_token, user=user_id, tenant=tenant, request_id=context.generate_request_id(), is_admin=is_admin)
def before(self, state): user_id = state.request.headers.get('X-User-Id') user_id = state.request.headers.get('X-User', user_id) tenant = state.request.headers.get('X-Tenant-Id') tenant = state.request.headers.get('X-Tenant', tenant) domain_id = state.request.headers.get('X-User-Domain-Id') domain_name = state.request.headers.get('X-User-Domain-Name') auth_token = state.request.headers.get('X-Auth-Token') creds = {'roles': state.request.headers.get('X-Roles', '').split(',')} is_public_api = state.request.environ.get('is_public_api', False) is_admin = policy.check('admin', state.request.headers, creds) state.request.context = context.RequestContext( auth_token=auth_token, user=user_id, tenant=tenant, domain_id=domain_id, domain_name=domain_name, is_admin=is_admin, is_public_api=is_public_api)
def before(self, state): user_id = state.request.headers.get('X-User-Id') user_id = state.request.headers.get('X-User', user_id) tenant = state.request.headers.get('X-Tenant-Id') tenant = state.request.headers.get('X-Tenant', tenant) domain_id = state.request.headers.get('X-User-Domain-Id') domain_name = state.request.headers.get('X-User-Domain-Name') auth_token = state.request.headers.get('X-Auth-Token', None) creds = {'roles': state.request.headers.get('X-Roles', '').split(',')} is_admin = policy.check('admin', state.request.headers, creds) path = utils.safe_rstrip(state.request.path, '/') is_public_api = path in self.public_api_routes state.request.context = context.RequestContext( auth_token=auth_token, user=user_id, tenant=tenant, domain_id=domain_id, domain_name=domain_name, is_admin=is_admin, is_public_api=is_public_api)
def before(self, state): ctx = state.request.context is_admin_api = policy.check('admin_api', {}, ctx.to_dict()) if not is_admin_api and not ctx.is_public_api: raise exc.HTTPForbidden()